Microsoft Office 365 Attacks Sparked from Google Firebase


Thread author
Staff member
Malware Hunter
Jul 27, 2015
A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said.

Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud. Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.
“This email attack bypassed native Microsoft email security controls,” the researcher noted. “Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which meant that Microsoft did not determine the email as suspicious and delivered it to end-user mailboxes.” For one thing, the redirect flow is complex, which helps mask the malicious nature of the messages, according to Upadhyaya, who noted that this kind of obfuscation is a common tactic to thwart security defenses that check for fake login pages.
More on Firebase attacks also here :